CVE-2024-52304 - Request Smuggling Vulnerability in aiohttp - Details & Simple Exploit Example

In May 2024, a new security flaw was discovered in aiohttp, a popular asynchronous HTTP library for Python. This vulnerability, present in versions before 3.10.11, is tracked as CVE-2024-52304 and exposes systems to *request smuggling* attacks when special conditions are met. In this article, we’ll break down what the CVE means, how it works, and how you can test for and fix the issue.

What is aiohttp?

aiohttp is a modern HTTP client and server library designed for asynchronous workloads that use the Python standard library’s asyncio. It’s heavily used in web applications, APIs, and even reverse proxies.

What is Request Smuggling?

Request smuggling is a web vulnerability where an attacker crafts HTTP requests in such a way that web servers and proxies interpret them differently. This allows attackers to “smuggle” hidden HTTP requests through intermediary devices—potentially bypassing authentication, firewalls, or accessing other users' data.

How Does CVE-2024-52304 Happen?

The heart of the issue lies in how aiohttp’s *pure Python* HTTP parser (not the default, faster C extension) deals with chunked request bodies and their “extension” fields. If a newline character is incorrectly parsed in one of these extensions, a crafted request can trick aiohttp into misinterpreting where one request ends and another begins. This is a classic setup for request smuggling.

The flaw is reachable only when both of these conditions hold:

- You’re running aiohttp before 3.10.11.
- You’re using *no C extensions*, either because you installed a pure Python build or because you explicitly set the AIOHTTP_NO_EXTENSIONS environment variable.

Exploit Example

Let’s see how a malicious client might abuse this flaw. Imagine a reverse proxy (like nginx) sits in front of an aiohttp server. The attacker sends a crafted POST request with a chunked body extension that includes a clever newline, so the proxy thinks it has seen the end of the request, but aiohttp does not. Thus, aiohttp reads more data, possibly mixing legitimate and attacker data.

Example vulnerable request

POST / HTTP/1.1
Host: victim.site
Transfer-Encoding: chunked
Content-Type: text/plain

5;ext=x
hello

\ndummy-header: injected
GET /admin HTTP/1.1
Host: victim.site

*Notice the line:*
\ndummy-header: injected

In this case, the reverse proxy parses up to the end of the chunked body and considers the request complete, but because aiohttp’s old pure Python parser mishandles the newline inside the chunk extension, it keeps reading and treats GET /admin HTTP/1.1 as the start of a new (unfinished) request. This can let an attacker slip requests past security controls.
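To make the boundary disagreement concrete, here is an added example (my own code, not aiohttp’s) that models the chunk-size line handling the article describes: a lenient parser that only looks for CRLF and never inspects the extension, beside a hardened parser that fails closed on any bare CR or LF and validates each extension against the RFC 9112 grammar. The sample lines are constructed to mirror the request above.

```python
import re
# RFC 9112 s7.1: chunk-size [ *( ";" ext-name [ "=" ext-val ] ) ] CRLF; names are
# tokens, values tokens or quoted-strings, so CR and LF never belong in the line.
_TCHAR = rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_HEX = re.compile(rb"^[0-9A-Fa-f]{1,16}$")
_EXT = re.compile(rb"^" + _TCHAR + rb"(?:=(?:" + _TCHAR + rb'|"[^"\r\n]*"))?$')


class ChunkError(ValueError):
    """Raised by the strict parser; the server should answer 400 and close."""


def size_line_lenient(buf: bytes):
    """Model of the pre-3.10.11 pure-Python behaviour the article describes: only
    CRLF ends the line and the extension is never inspected. Returns (size, consumed)."""
    end = buf.find(b"\r\n")
    if end < 0:
        return None  # need more data
    return int(buf[:end].split(b";", 1)[0], 16), end + 2


def size_line_strict(buf: bytes):
    """Hardened: fail closed on any CR/LF before the terminating CRLF and check
    each extension against the grammar. Returns (size, exts, bytes consumed)."""
    end = buf.find(b"\r\n")
    if end < 0:
        return None  # need more data
    line = buf[:end]
    if b"\r" in line or b"\n" in line:
        raise ChunkError("bare CR or LF inside chunk-size line")
    size_field, *ext_fields = line.split(b";")
    if not _HEX.match(size_field):
        raise ChunkError("malformed chunk-size")
    exts = {}
    for field in ext_fields:
        field = field.strip(b" \t")  # optional whitespace around ';' is allowed
        if not _EXT.match(field):
            raise ChunkError(f"malformed chunk-ext {field!r}")
        name, _, value = field.partition(b"=")
        exts[name] = value
    return int(size_field, 16), exts, end + 2


def strict_rejects(buf: bytes) -> bool:
    """True when the strict parser refuses the line with ChunkError."""
    try:
        size_line_strict(buf)
    except ChunkError:
        return True
    return False

# Constructed samples (not captured traffic): SMUGGLED mirrors the article's
# request with a bare LF inside the chunk extension; CLEAN is a valid line.
SMUGGLED = b"5;ext=x\ndummy-header: injected\r\nhello\r\n"
CLEAN = b"5;ext=x\r\nhello\r\n"
```

The lenient parser happily returns chunk size 5 for SMUGGLED while a parser that honours the bare LF would end the size line 23 bytes earlier; the strict parser refuses the line outright, which is the behaviour a patched server should show.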

To programmatically check whether your server is using the C extension (the original snippet looked up a non-existent HttpParser attribute and would raise AttributeError when the compiled module is absent; this version checks the compiled module and the AIOHTTP_NO_EXTENSIONS override that aiohttp reads into aiohttp.helpers.NO_EXTENSIONS):

import importlib.util

import aiohttp
from aiohttp.helpers import NO_EXTENSIONS  # True when AIOHTTP_NO_EXTENSIONS is set


def check_for_extensions():
    # aiohttp only uses the C parser when the compiled module is importable
    # AND the AIOHTTP_NO_EXTENSIONS override is unset.
    compiled = importlib.util.find_spec("aiohttp._http_parser") is not None
    if compiled and not NO_EXTENSIONS:
        print("C extension is enabled. Safer.")
    else:
        print("C extension is NOT enabled. Vulnerable to CVE-2024-52304!")
    print(f"aiohttp version: {aiohttp.__version__}")


check_for_extensions()

Potential Impact

- Steal session cookies: if “smuggled” requests reach web applications with active sessions.
- Trigger weird behaviors: causing desyncs between application logic and frontend proxies/gateways.

How to Fix

Upgrade aiohttp now to version 3.10.11 or later:

pip install --upgrade aiohttp

More Reading & References

- Official GitHub Advisory
- NVD Entry for CVE-2024-52304
- How HTTP Request Smuggling Works (PortSwigger)

Conclusion

CVE-2024-52304 is a powerful reminder that edge cases in protocol handling—the ones that rarely come up—can be used by attackers to breach layers of security. If your Python web environment uses aiohttp, especially with its pure Python implementation, *patch now* and stay safe!

Timeline

Published on: 11/18/2024 21:15:06 UTC
Last modified on: 11/21/2024 14:15:17 UTC